[maglev] Properly handle merged feedback in property load

verwaest · V8 LUCI CQ · commit a58cca820d04 · 2024-06-21T14:27:03.000Z
- deal with no merge state being allocated - heap number map feedback can end up being wrong, so pre-check before adding the smi case. Otherwise we'll try to go to a block that's never generated Bug: 342451738 Change-Id: Ie6736798656136456dba00f7a36903b4786cab1e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5646187 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#94586}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -702,14 +702,14 @@ void MaglevGraphBuilder::MaglevSubGraphBuilder::EndLoop(LoopLabel* loop_label) {
 
 ReduceResult MaglevGraphBuilder::MaglevSubGraphBuilder::TrimPredecessorsAndBind(
     Label* label) {
-  DCHECK_LE(label->merge_state_->predecessors_so_far(),
-            label->predecessor_count_);
+  int predecessors_so_far = label->merge_state_ == nullptr
+                                ? 0
+                                : label->merge_state_->predecessors_so_far();
+  DCHECK_LE(predecessors_so_far, label->predecessor_count_);
   builder_->current_block_ = nullptr;
-  ReducePredecessorCount(label, label->predecessor_count_ -
-                                    label->merge_state_->predecessors_so_far());
-  if (label->merge_state_->predecessors_so_far() == 0) {
-    return ReduceResult::DoneWithAbort();
-  }
+  ReducePredecessorCount(label,
+                         label->predecessor_count_ - predecessors_so_far);
+  if (predecessors_so_far == 0) return ReduceResult::DoneWithAbort();
   Bind(label);
   return ReduceResult::Done();
 }
@@ -4630,8 +4630,15 @@ ReduceResult MaglevGraphBuilder::TryBuildNamedAccess(
           return ReduceResult::Fail();
         }
         if (map.IsHeapNumberMap()) {
-          DCHECK_EQ(number_map_index, -1);
-          number_map_index = i;
+          GetOrCreateInfoFor(lookup_start_object);
+          base::SmallVector<compiler::MapRef, 1> known_maps = {map};
+          KnownMapsMerger merger(broker(), base::VectorOf(known_maps));
+          merger.IntersectWithKnownNodeAspects(lookup_start_object,
+                                               known_node_aspects());
+          if (!merger.intersect_set().is_empty()) {
+            DCHECK_EQ(number_map_index, -1);
+            number_map_index = i;
+          }
         }
       }
     }
diff --git a/test/mjsunit/regress/regress-342451738.js b/test/mjsunit/regress/regress-342451738.js
@@ -0,0 +1,29 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --jit-fuzzing --efficiency-mode
+
+function f1( a3) {
+    try { a3(); } catch (e) {}
+    class C6 {
+    }
+    const v7 = new C6();
+    function f9(a10, a11) {
+        a11.propertyIsEnumerable();
+        const t6 = a11.constructor;
+        const v14 = new t6();
+        v14.constructor;
+    }
+    f9(7, v7);
+    for (let v17 = 0; v17 < 25; v17++) {
+        const o18 = {
+            "deleteProperty": f9,
+        };
+        const t17 = o18.deleteProperty;
+        t17(3653, o18);
+        o18.deleteProperty(v17, 2);
+    }
+}
+f1(f1, f1);
+f1();
